1. Technical Field
The present invention relates in general to the field of computers, and, in particular, to establishing a secure connection between a client computer and a server computer. Still more particularly, the present invention relates to an improved method and system for allowing each of multiple users of a single client computer to establish a Secure Sockets Layer (SSL) secure connection, which is unique for each user, between the client computer and the server computer.
2. Description of the Related Art
Personal computers and computer networks, including the Internet, are often designed to be open and flexible for ease of access to users. However, this openness presents security problems when confidential communications between computers are desired, such as when transmitting messages containing financial information, business secrets, personal information, etc. To provide security between two computers in such a network, secure connections are established between the computers to ensure that no other computer can “listen in” on the communication. To establish such a secure connection between computers with browsers and servers over insecure links that make up the Internet, the Secure Sockets Layer (SSL) system was developed.
SSL is a network protocol that provides data privacy for the bulk of the browser-to-Web server electronic business (e-business) applications on the Internet. Besides being able to establish secure connections between servers and computers with browsers, SSL also provides a protocol for encrypting messages and detecting message tampering, so users on both sides of the connection know if anything was changed in transit. To establish the secure browser (client) to server connection, SSL utilizes encryption, the process of translating data in a secret code.
As a general process, encryption typically is performed using a key, which is a set of characters (password) having a predetermined value. The key is applied in an algorithm to a string or block of unencrypted data to produce encrypted data, or to decrypt encrypted data. Encryption that uses the same key to encrypt and decrypt the data is known as symmetric-key cryptography. Symmetric-key cryptography systems are simple and fast, but their main drawback is that the two parties (one encrypting the data and the other decrypting the encrypted data) must somehow exchange the key in a secure way.
Another type of encryption, known as asymmetric encryption, avoids this problem by using two keys: a public key and a private key. The public key is available to any sender to encrypt data to be sent to a receiver. The private key is available only to the receiver to decrypt the encrypted data. Alternatively, the private key may be used to encrypt the data and the public key is used to decrypt the encrypted data. A popular algorithm used to create public and private keys is RSA, named in 1977 for its inventors Ron Rivets, Adi Shamir and Leonard Adleman. RSA uses two random large prime numbers that are multiplied together and manipulated with modulus arithmetic to create a private key that can decrypt any message that has been encrypted with the public key. Other popular cryptographic algorithms (cipher suites) include those based on a Secure Hash Algorithm (SHA), an Advanced Encryption Standard (AES) used by U.S. Government organizations, a Data Encryption Standard (DES) and Hashing Message Authenticating Code (HMAC).
A popular method using asymmetric encryption is known as a Public Key Infrastructure (PKI). PKI uses a certificate authority (CA) that issues and verifies digital certificates, which include public keys available to any party and private keys sent only to the party that requested the digital certificate.
While very secure, asymmetric encryption is slow and requires much computer processing time. Therefore, a popular blend of the two encryption technologies involves encrypting a symmetric key (for both encoding and decoding messages) and sending the encrypted symmetric key to a receiving computer, which then decrypts the symmetric key so that both the sender and receiver have a clear copy of the symmetric key. This use of both symmetric and asymmetric keys is a key feature of how SSL establishes secure links between computers.
To establish a secure connection between two computers (a client computer and a server), SSL utilizes encryption in its protocol for authenticating the identity of the two computers. The client computer and server exchange their digital certificates and confirm their authenticity by using keys in the digital certificates to encrypt/decrypt special identity confirmation messages. After authenticating the identity of each other to establish a secure connection, the client computer and the server are then able to share a private key, which can then be used to securely transmit messages between the computers. The digital certificate for the client computer is stored in the client computer's memory in a database called a keyfile, which must be accessed to establish a secure link between the client computer and the server.
In the prior art, as depicted in FIG. 1, a client 10 makes its keyfile 12 automatically accessible to establish a secure connection 20 through the use of a property file 16. Client 10 is a computer, which in the prior art is used by only a single user.
Property file 16 is a database that includes a password 18 that opens keyfile 12, making keyfile 12 accessible to server 14 to authenticate client 10's identity to establish secure connection 20 with server 14. However, in the prior art, only one keyfile 12 is associated with client 10 in the SSL scheme. Thus, if there are multiple users of client 10, each such user cannot establish an SSL secure connection 20 with server 14. While the multiple users are generally considered to be separate individual persons, they may alternatively represent multiple threads in a computing process.